Upstream version 10.39.225.0
[platform/framework/web/crosswalk.git] / src / third_party / boringssl / src / ssl / d1_srvr.c
1 /*
2  * DTLS implementation written by Nagendra Modadugu
3  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005. 
4  */
5 /* ====================================================================
6  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  *
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in
17  *    the documentation and/or other materials provided with the
18  *    distribution.
19  *
20  * 3. All advertising materials mentioning features or use of this
21  *    software must display the following acknowledgment:
22  *    "This product includes software developed by the OpenSSL Project
23  *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
24  *
25  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
26  *    endorse or promote products derived from this software without
27  *    prior written permission. For written permission, please contact
28  *    openssl-core@OpenSSL.org.
29  *
30  * 5. Products derived from this software may not be called "OpenSSL"
31  *    nor may "OpenSSL" appear in their names without prior written
32  *    permission of the OpenSSL Project.
33  *
34  * 6. Redistributions of any form whatsoever must retain the following
35  *    acknowledgment:
36  *    "This product includes software developed by the OpenSSL Project
37  *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
38  *
39  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
40  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
41  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
42  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
43  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
44  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
45  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
46  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
48  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
49  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
50  * OF THE POSSIBILITY OF SUCH DAMAGE.
51  * ====================================================================
52  *
53  * This product includes cryptographic software written by Eric Young
54  * (eay@cryptsoft.com).  This product includes software written by Tim
55  * Hudson (tjh@cryptsoft.com).
56  *
57  */
58 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
59  * All rights reserved.
60  *
61  * This package is an SSL implementation written
62  * by Eric Young (eay@cryptsoft.com).
63  * The implementation was written so as to conform with Netscapes SSL.
64  *
65  * This library is free for commercial and non-commercial use as long as
66  * the following conditions are aheared to.  The following conditions
67  * apply to all code found in this distribution, be it the RC4, RSA,
68  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
69  * included with this distribution is covered by the same copyright terms
70  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
71  *
72  * Copyright remains Eric Young's, and as such any Copyright notices in
73  * the code are not to be removed.
74  * If this package is used in a product, Eric Young should be given attribution
75  * as the author of the parts of the library used.
76  * This can be in the form of a textual message at program startup or
77  * in documentation (online or textual) provided with the package.
78  *
79  * Redistribution and use in source and binary forms, with or without
80  * modification, are permitted provided that the following conditions
81  * are met:
82  * 1. Redistributions of source code must retain the copyright
83  *    notice, this list of conditions and the following disclaimer.
84  * 2. Redistributions in binary form must reproduce the above copyright
85  *    notice, this list of conditions and the following disclaimer in the
86  *    documentation and/or other materials provided with the distribution.
87  * 3. All advertising materials mentioning features or use of this software
88  *    must display the following acknowledgement:
89  *    "This product includes cryptographic software written by
90  *     Eric Young (eay@cryptsoft.com)"
91  *    The word 'cryptographic' can be left out if the rouines from the library
92  *    being used are not cryptographic related :-).
93  * 4. If you include any Windows specific code (or a derivative thereof) from
94  *    the apps directory (application code) you must include an acknowledgement:
95  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
96  *
97  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
98  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
99  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
100  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
101  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
102  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
103  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
104  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
105  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
106  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
107  * SUCH DAMAGE.
108  *
109  * The licence and distribution terms for any publically available version or
110  * derivative of this code cannot be changed.  i.e. this code cannot simply be
111  * copied and put under another distribution licence
112  * [including the GNU Public Licence.]
113  */
114
115 #include <stdio.h>
116
117 #include <openssl/bn.h>
118 #include <openssl/buf.h>
119 #include <openssl/dh.h>
120 #include <openssl/evp.h>
121 #include <openssl/md5.h>
122 #include <openssl/obj.h>
123 #include <openssl/rand.h>
124 #include <openssl/x509.h>
125
126 #include "ssl_locl.h"
127
128 static const SSL_METHOD *dtls1_get_server_method(int ver);
129 static int dtls1_send_hello_verify_request(SSL *s);
130
131 static const SSL_METHOD *dtls1_get_server_method(int ver)
132         {
133         if (ver == DTLS1_VERSION)
134                 return(DTLSv1_server_method());
135         else if (ver == DTLS1_2_VERSION)
136                 return(DTLSv1_2_server_method());
137         else
138                 return(NULL);
139         }
140
141 IMPLEMENT_dtls1_meth_func(DTLS1_VERSION,
142                         DTLSv1_server_method,
143                         dtls1_accept,
144                         ssl_undefined_function,
145                         dtls1_get_server_method,
146                         DTLSv1_enc_data)
147
148 IMPLEMENT_dtls1_meth_func(DTLS1_2_VERSION,
149                         DTLSv1_2_server_method,
150                         dtls1_accept,
151                         ssl_undefined_function,
152                         dtls1_get_server_method,
153                         DTLSv1_2_enc_data)
154
155 IMPLEMENT_dtls1_meth_func(DTLS_ANY_VERSION,
156                         DTLS_server_method,
157                         dtls1_accept,
158                         ssl_undefined_function,
159                         dtls1_get_server_method,
160                         DTLSv1_2_enc_data)
161
162 int dtls1_accept(SSL *s)
163         {
164         BUF_MEM *buf;
165         void (*cb)(const SSL *ssl,int type,int val)=NULL;
166         unsigned long alg_a;
167         int ret= -1;
168         int new_state,state,skip=0;
169         int listen;
170
171         ERR_clear_error();
172         ERR_clear_system_error();
173
174         if (s->info_callback != NULL)
175                 cb=s->info_callback;
176         else if (s->ctx->info_callback != NULL)
177                 cb=s->ctx->info_callback;
178         
179         listen = s->d1->listen;
180
181         /* init things to blank */
182         s->in_handshake++;
183         if (!SSL_in_init(s) || SSL_in_before(s)) SSL_clear(s);
184
185         s->d1->listen = listen;
186
187         if (s->cert == NULL)
188                 {
189                 OPENSSL_PUT_ERROR(SSL, dtls1_accept, SSL_R_NO_CERTIFICATE_SET);
190                 return(-1);
191                 }
192
193         for (;;)
194                 {
195                 state=s->state;
196
197                 switch (s->state)
198                         {
199                 case SSL_ST_RENEGOTIATE:
200                         s->renegotiate=1;
201                         /* s->state=SSL_ST_ACCEPT; */
202
203                 case SSL_ST_BEFORE:
204                 case SSL_ST_ACCEPT:
205                 case SSL_ST_BEFORE|SSL_ST_ACCEPT:
206                 case SSL_ST_OK|SSL_ST_ACCEPT:
207
208                         s->server=1;
209                         if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_START,1);
210
211                         if ((s->version & 0xff00) != (DTLS1_VERSION & 0xff00))
212                                 {
213                                 OPENSSL_PUT_ERROR(SSL, dtls1_accept, ERR_R_INTERNAL_ERROR);
214                                 return -1;
215                                 }
216                         s->type=SSL_ST_ACCEPT;
217
218                         if (s->init_buf == NULL)
219                                 {
220                                 if ((buf=BUF_MEM_new()) == NULL)
221                                         {
222                                         ret= -1;
223                                         goto end;
224                                         }
225                                 if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
226                                         {
227                                         ret= -1;
228                                         goto end;
229                                         }
230                                 s->init_buf=buf;
231                                 }
232
233                         if (!ssl3_setup_buffers(s))
234                                 {
235                                 ret= -1;
236                                 goto end;
237                                 }
238
239                         s->init_num=0;
240
241                         if (s->state != SSL_ST_RENEGOTIATE)
242                                 {
243                                 /* Ok, we now need to push on a buffering BIO so that
244                                  * the output is sent in a way that TCP likes :-)
245                                  * ...but not with SCTP :-)
246                                  */
247                                         if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
248
249                                 ssl3_init_finished_mac(s);
250                                 s->state=SSL3_ST_SR_CLNT_HELLO_A;
251                                 s->ctx->stats.sess_accept++;
252                                 }
253                         else
254                                 {
255                                 /* s->state == SSL_ST_RENEGOTIATE,
256                                  * we will just send a HelloRequest */
257                                 s->ctx->stats.sess_accept_renegotiate++;
258                                 s->state=SSL3_ST_SW_HELLO_REQ_A;
259                                 }
260
261                         break;
262
263                 case SSL3_ST_SW_HELLO_REQ_A:
264                 case SSL3_ST_SW_HELLO_REQ_B:
265
266                         s->shutdown=0;
267                         dtls1_clear_record_buffer(s);
268                         dtls1_start_timer(s);
269                         ret=ssl3_send_hello_request(s);
270                         if (ret <= 0) goto end;
271                         s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
272                         s->state=SSL3_ST_SW_FLUSH;
273                         s->init_num=0;
274
275                         ssl3_init_finished_mac(s);
276                         break;
277
278                 case SSL3_ST_SW_HELLO_REQ_C:
279                         s->state=SSL_ST_OK;
280                         break;
281
282                 case SSL3_ST_SR_CLNT_HELLO_A:
283                 case SSL3_ST_SR_CLNT_HELLO_B:
284                 case SSL3_ST_SR_CLNT_HELLO_C:
285                 case SSL3_ST_SR_CLNT_HELLO_D:
286
287                         s->shutdown=0;
288                         ret=ssl3_get_client_hello(s);
289                         if (ret <= 0) goto end;
290                         dtls1_stop_timer(s);
291
292                         if (ret == 1 && (SSL_get_options(s) & SSL_OP_COOKIE_EXCHANGE))
293                                 s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A;
294                         else
295                                 s->state = SSL3_ST_SW_SRVR_HELLO_A;
296
297                         s->init_num=0;
298
299                         /* Reflect ClientHello sequence to remain stateless while listening */
300                         if (listen)
301                                 {
302                                 memcpy(s->s3->write_sequence, s->s3->read_sequence, sizeof(s->s3->write_sequence));
303                                 }
304
305                         /* If we're just listening, stop here */
306                         if (listen && s->state == SSL3_ST_SW_SRVR_HELLO_A)
307                                 {
308                                 ret = 2;
309                                 s->d1->listen = 0;
310                                 /* Set expected sequence numbers
311                                  * to continue the handshake.
312                                  */
313                                 s->d1->handshake_read_seq = 2;
314                                 s->d1->handshake_write_seq = 1;
315                                 s->d1->next_handshake_write_seq = 1;
316                                 goto end;
317                                 }
318                         
319                         break;
320                         
321                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A:
322                 case DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B:
323
324                         ret = dtls1_send_hello_verify_request(s);
325                         if ( ret <= 0) goto end;
326                         s->state=SSL3_ST_SW_FLUSH;
327                         s->s3->tmp.next_state=SSL3_ST_SR_CLNT_HELLO_A;
328
329                         /* HelloVerifyRequest resets Finished MAC */
330                         ssl3_init_finished_mac(s);
331                         break;
332                         
333
334                 case SSL3_ST_SW_SRVR_HELLO_A:
335                 case SSL3_ST_SW_SRVR_HELLO_B:
336                         s->renegotiate = 2;
337                         dtls1_start_timer(s);
338                         ret=ssl3_send_server_hello(s);
339                         if (ret <= 0) goto end;
340
341                         if (s->hit)
342                                 {
343                                 if (s->tlsext_ticket_expected)
344                                         s->state=SSL3_ST_SW_SESSION_TICKET_A;
345                                 else
346                                         s->state=SSL3_ST_SW_CHANGE_A;
347                                 }
348                         else
349                                 s->state=SSL3_ST_SW_CERT_A;
350                         s->init_num=0;
351                         break;
352
353                 case SSL3_ST_SW_CERT_A:
354                 case SSL3_ST_SW_CERT_B:
355                         /* Check if it is anon DH or normal PSK */
356                         if (!(s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL)
357                                 && !(s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
358                                 {
359                                 dtls1_start_timer(s);
360                                 ret=ssl3_send_server_certificate(s);
361                                 if (ret <= 0) goto end;
362                                 if (s->s3->tmp.certificate_status_expected)
363                                         s->state=SSL3_ST_SW_CERT_STATUS_A;
364                                 else
365                                         s->state=SSL3_ST_SW_KEY_EXCH_A;
366                                 }
367                         else
368                                 {
369                                 skip = 1;
370                                 s->state=SSL3_ST_SW_KEY_EXCH_A;
371                                 }
372                         s->init_num=0;
373                         break;
374
375                 case SSL3_ST_SW_KEY_EXCH_A:
376                 case SSL3_ST_SW_KEY_EXCH_B:
377                         alg_a = s->s3->tmp.new_cipher->algorithm_auth;
378
379                         /* Send a ServerKeyExchange message if:
380                          * - The key exchange is ephemeral or anonymous
381                          *   Diffie-Hellman.
382                          * - There is a PSK identity hint.
383                          *
384                          * TODO(davidben): This logic is currently duplicated
385                          * in s3_srvr.c. Fix this. In the meantime, keep them
386                          * in sync.
387                          */
388                         if (ssl_cipher_requires_server_key_exchange(s->s3->tmp.new_cipher) ||
389                             ((alg_a & SSL_aPSK) && s->session->psk_identity_hint))
390                                 {
391                                 dtls1_start_timer(s);
392                                 ret=ssl3_send_server_key_exchange(s);
393                                 if (ret <= 0) goto end;
394                                 }
395                         else
396                                 skip=1;
397
398                         s->state=SSL3_ST_SW_CERT_REQ_A;
399                         s->init_num=0;
400                         break;
401
402                 case SSL3_ST_SW_CERT_REQ_A:
403                 case SSL3_ST_SW_CERT_REQ_B:
404                         if (/* don't request cert unless asked for it: */
405                                 !(s->verify_mode & SSL_VERIFY_PEER) ||
406                                 /* if SSL_VERIFY_CLIENT_ONCE is set,
407                                  * don't request cert during re-negotiation: */
408                                 ((s->session->peer != NULL) &&
409                                  (s->verify_mode & SSL_VERIFY_CLIENT_ONCE)) ||
410                                 /* never request cert in anonymous ciphersuites
411                                  * (see section "Certificate request" in SSL 3 drafts
412                                  * and in RFC 2246): */
413                                 ((s->s3->tmp.new_cipher->algorithm_auth & SSL_aNULL) &&
414                                  /* ... except when the application insists on verification
415                                   * (against the specs, but s3_clnt.c accepts this for SSL 3) */
416                                  !(s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) ||
417                                 /* With normal PSK Certificates and
418                                  * Certificate Requests are omitted */
419                                 (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kPSK))
420                                 {
421                                 /* no cert request */
422                                 skip=1;
423                                 s->s3->tmp.cert_request=0;
424                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
425                                 }
426                         else
427                                 {
428                                 s->s3->tmp.cert_request=1;
429                                 dtls1_start_timer(s);
430                                 ret=ssl3_send_certificate_request(s);
431                                 if (ret <= 0) goto end;
432 #ifndef NETSCAPE_HANG_BUG
433                                 s->state=SSL3_ST_SW_SRVR_DONE_A;
434 #else
435                                 s->state=SSL3_ST_SW_FLUSH;
436                                 s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
437 #endif
438                                 s->init_num=0;
439                                 }
440                         break;
441
442                 case SSL3_ST_SW_SRVR_DONE_A:
443                 case SSL3_ST_SW_SRVR_DONE_B:
444                         dtls1_start_timer(s);
445                         ret=ssl3_send_server_done(s);
446                         if (ret <= 0) goto end;
447                         s->s3->tmp.next_state=SSL3_ST_SR_CERT_A;
448                         s->state=SSL3_ST_SW_FLUSH;
449                         s->init_num=0;
450                         break;
451                 
452                 case SSL3_ST_SW_FLUSH:
453                         s->rwstate=SSL_WRITING;
454                         if (BIO_flush(s->wbio) <= 0)
455                                 {
456                                 /* If the write error was fatal, stop trying */
457                                 if (!BIO_should_retry(s->wbio))
458                                         {
459                                         s->rwstate=SSL_NOTHING;
460                                         s->state=s->s3->tmp.next_state;
461                                         }
462                                 
463                                 ret= -1;
464                                 goto end;
465                                 }
466                         s->rwstate=SSL_NOTHING;
467                         s->state=s->s3->tmp.next_state;
468                         break;
469
470                 case SSL3_ST_SR_CERT_A:
471                 case SSL3_ST_SR_CERT_B:
472                         if (s->s3->tmp.cert_request)
473                                 {
474                                 ret=ssl3_get_client_certificate(s);
475                                 if (ret <= 0) goto end;
476                                 }
477                         s->init_num=0;
478                         s->state=SSL3_ST_SR_KEY_EXCH_A;
479                         break;
480
481                 case SSL3_ST_SR_KEY_EXCH_A:
482                 case SSL3_ST_SR_KEY_EXCH_B:
483                         ret=ssl3_get_client_key_exchange(s);
484                         if (ret <= 0)
485                                 goto end;
486                         s->state=SSL3_ST_SR_CERT_VRFY_A;
487                         s->init_num=0;
488                         break;
489
490                 case SSL3_ST_SR_CERT_VRFY_A:
491                 case SSL3_ST_SR_CERT_VRFY_B:
492
493                         s->d1->change_cipher_spec_ok = 1;
494                         /* we should decide if we expected this one */
495                         ret=ssl3_get_cert_verify(s);
496                         if (ret <= 0) goto end;
497                                 s->state=SSL3_ST_SR_FINISHED_A;
498                         s->init_num=0;
499                         break;
500
501                 case SSL3_ST_SR_FINISHED_A:
502                 case SSL3_ST_SR_FINISHED_B:
503                         s->d1->change_cipher_spec_ok = 1;
504                         ret=ssl3_get_finished(s,SSL3_ST_SR_FINISHED_A,
505                                 SSL3_ST_SR_FINISHED_B);
506                         if (ret <= 0) goto end;
507                         dtls1_stop_timer(s);
508                         if (s->hit)
509                                 s->state=SSL_ST_OK;
510                         else if (s->tlsext_ticket_expected)
511                                 s->state=SSL3_ST_SW_SESSION_TICKET_A;
512                         else
513                                 s->state=SSL3_ST_SW_CHANGE_A;
514                         s->init_num=0;
515                         break;
516
517                 case SSL3_ST_SW_SESSION_TICKET_A:
518                 case SSL3_ST_SW_SESSION_TICKET_B:
519                         ret=ssl3_send_new_session_ticket(s);
520                         if (ret <= 0) goto end;
521                         s->state=SSL3_ST_SW_CHANGE_A;
522                         s->init_num=0;
523                         break;
524
525 #if 0
526                 // TODO(davidben): Implement OCSP stapling on the server.
527                 case SSL3_ST_SW_CERT_STATUS_A:
528                 case SSL3_ST_SW_CERT_STATUS_B:
529                         ret=ssl3_send_cert_status(s);
530                         if (ret <= 0) goto end;
531                         s->state=SSL3_ST_SW_KEY_EXCH_A;
532                         s->init_num=0;
533                         break;
534 #endif
535
536                 case SSL3_ST_SW_CHANGE_A:
537                 case SSL3_ST_SW_CHANGE_B:
538
539                         s->session->cipher=s->s3->tmp.new_cipher;
540                         if (!s->method->ssl3_enc->setup_key_block(s))
541                                 { ret= -1; goto end; }
542
543                         ret=dtls1_send_change_cipher_spec(s,
544                                 SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
545
546                         if (ret <= 0) goto end;
547
548                         s->state=SSL3_ST_SW_FINISHED_A;
549                         s->init_num=0;
550
551                         if (!s->method->ssl3_enc->change_cipher_state(s,
552                                 SSL3_CHANGE_CIPHER_SERVER_WRITE))
553                                 {
554                                 ret= -1;
555                                 goto end;
556                                 }
557
558                         dtls1_reset_seq_numbers(s, SSL3_CC_WRITE);
559                         break;
560
561                 case SSL3_ST_SW_FINISHED_A:
562                 case SSL3_ST_SW_FINISHED_B:
563                         ret=ssl3_send_finished(s,
564                                 SSL3_ST_SW_FINISHED_A,SSL3_ST_SW_FINISHED_B,
565                                 s->method->ssl3_enc->server_finished_label,
566                                 s->method->ssl3_enc->server_finished_label_len);
567                         if (ret <= 0) goto end;
568                         s->state=SSL3_ST_SW_FLUSH;
569                         if (s->hit)
570                                 {
571                                 s->s3->tmp.next_state=SSL3_ST_SR_FINISHED_A;
572                                 }
573                         else
574                                 {
575                                 s->s3->tmp.next_state=SSL_ST_OK;
576                                 }
577                         s->init_num=0;
578                         break;
579
580                 case SSL_ST_OK:
581                         /* clean a few things up */
582                         ssl3_cleanup_key_block(s);
583
584 #if 0
585                         BUF_MEM_free(s->init_buf);
586                         s->init_buf=NULL;
587 #endif
588
589                         /* remove buffering on output */
590                         ssl_free_wbio_buffer(s);
591
592                         s->init_num=0;
593
594                         if (s->renegotiate == 2) /* skipped if we just sent a HelloRequest */
595                                 {
596                                 s->renegotiate=0;
597                                 s->new_session=0;
598                                 
599                                 ssl_update_cache(s,SSL_SESS_CACHE_SERVER);
600                                 
601                                 s->ctx->stats.sess_accept_good++;
602                                 /* s->server=1; */
603                                 s->handshake_func=dtls1_accept;
604
605                                 if (cb != NULL) cb(s,SSL_CB_HANDSHAKE_DONE,1);
606                                 }
607                         
608                         ret = 1;
609
610                         /* done handshaking, next message is client hello */
611                         s->d1->handshake_read_seq = 0;
612                         /* next message is server hello */
613                         s->d1->handshake_write_seq = 0;
614                         s->d1->next_handshake_write_seq = 0;
615                         goto end;
616                         /* break; */
617
618                 default:
619                         OPENSSL_PUT_ERROR(SSL, dtls1_accept, SSL_R_UNKNOWN_STATE);
620                         ret= -1;
621                         goto end;
622                         /* break; */
623                         }
624                 
625                 if (!s->s3->tmp.reuse_message && !skip)
626                         {
627                         if (s->debug)
628                                 {
629                                 if ((ret=BIO_flush(s->wbio)) <= 0)
630                                         goto end;
631                                 }
632
633
634                         if ((cb != NULL) && (s->state != state))
635                                 {
636                                 new_state=s->state;
637                                 s->state=state;
638                                 cb(s,SSL_CB_ACCEPT_LOOP,1);
639                                 s->state=new_state;
640                                 }
641                         }
642                 skip=0;
643                 }
644 end:
645         /* BIO_flush(s->wbio); */
646
647         s->in_handshake--;
648
649         if (cb != NULL)
650                 cb(s,SSL_CB_ACCEPT_EXIT,ret);
651         return(ret);
652         }
653
654 int dtls1_send_hello_verify_request(SSL *s)
655         {
656         unsigned int msg_len;
657         unsigned char *msg, *buf, *p;
658
659         if (s->state == DTLS1_ST_SW_HELLO_VERIFY_REQUEST_A)
660                 {
661                 buf = (unsigned char *)s->init_buf->data;
662
663                 msg = p = &(buf[DTLS1_HM_HEADER_LENGTH]);
664                 /* Always use DTLS 1.0 version: see RFC 6347 */
665                 *(p++) = DTLS1_VERSION >> 8;
666                 *(p++) = DTLS1_VERSION & 0xFF;
667
668                 if (s->ctx->app_gen_cookie_cb == NULL ||
669                      s->ctx->app_gen_cookie_cb(s, s->d1->cookie, &(s->d1->cookie_len)) == 0)
670                         {
671                         OPENSSL_PUT_ERROR(SSL, dtls1_send_hello_verify_request, ERR_R_INTERNAL_ERROR);
672                         return 0;
673                         }
674
675                 *(p++) = (unsigned char) s->d1->cookie_len;
676                 memcpy(p, s->d1->cookie, s->d1->cookie_len);
677                 p += s->d1->cookie_len;
678                 msg_len = p - msg;
679
680                 dtls1_set_message_header(s, buf,
681                         DTLS1_MT_HELLO_VERIFY_REQUEST, msg_len, 0, msg_len);
682
683                 s->state=DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B;
684                 /* number of bytes to write */
685                 s->init_num=p-buf;
686                 s->init_off=0;
687                 }
688
689         /* s->state = DTLS1_ST_SW_HELLO_VERIFY_REQUEST_B */
690         return(dtls1_do_write(s,SSL3_RT_HANDSHAKE));
691         }